Working with PAM (Pluggable Authentication Modules) Scott McBrien Curriculum Manager, Red Hat
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Working with PAM (Pluggable Authentication Modules)Scott McBrienCurriculum Manager, Red Hat
What is PAM?
Configuration files
/etc/pam.d/
/etc/security/
Overview of configuration file locations and content
PAM Controls
required
sufficient
optional
include
requisite
substack (RHEL7)
Trace Through of auth Rules
Example: sshd
Trace through of sshd
What we saw: /etc/pam.d/sshd
auth required pam_sepermit.so
auth substack password-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >=1000 quiet_success
auth required pam_deny.so
auth include postlogin
(no auth rules in postlogin)
Managing Password Complexity
Managing Password Complexity
minlen
ocredit
dcredit
ucredit
lcredit
Using pam_tally2.so
Using pam_tally2.so in configuration files
Using pam_tally2 on the command line
Other Pointers
* Keep an already authenticated session open
* Order is important
* Remember password-auth vs. system-auth
Documentation
pam_* manual pages
/usr/share/doc/pam*
More security topics?
Red Hat Server Hardening (RH413)
http://www.redhat.com/training/courses/rh413
Materials available from http://people.redhat.com/~smcbrien
Related Documents
